They pulled pieces and parts of ICU, using GCC 3.4.3 to compile each, or else compiled the static ICU lib with GCC 3.4.3. They then compiled those/that into the project with GCC 4.1.2. They did the system ICU build with 4.2.1. I suppose I could actually follow this with a little more objdump work.

The pieces and parts idea could explain the symbols problem, but then the source would be different.

I don't know the details of building the browser. I didn't do it often, and that was many years ago. It was always done by its developers.

I always tried to cleanly isolate the builds of ported components in Builder recipes and resource packages, so I maintained the GCC and ICU packages, but we didn't get to the other libraries in Webster. It sounds like only JavaScriptCore needs the older GCC, but ICU is a mesh of the external package and some ICU source merged into Webster. Webster is Syllable's largest application, so I couldn't prod the others too much to adapt it.

Thanks for the historical perspective. I guess it doesn't really matter how it all came together back then. It was probably a matter of expedience. Anyway, I'll try to homogenize Webster with the ICU libs so as to use only the current system GCC. I'm redoing all the browser back ends, for the operating systems that I use: FreeBSD, Haiku, and Syllable - to use polarssl only.

With libcurl using openssl and/or gnutls, the dependency list is something like:

Nothing is perfect. Even polarssl probably has its share of CVEs. But we all take our chances the way we see fit - I guess. The openssl lib in Syllable is pretty dated.

I like the perfect forward secrecy cipher suites, without elliptical curves. So, those would be the DHE series, but not the ECDHE series. It's nice to be able to select specific things like that in a program build, and polarssl makes it pretty easy to do that - IMO. I tend to be the pedant in these matters .

Sounds good. I tended to contribute an overview look, so I don't know about the details of encryption, but I do know the mainstream software used for it is a mess like most. LibreSSL would already be better.

OpenSSL has usually been painless to update, except we haven't made the switch to 1.0 yet.

Ironically, there is big news out today that PolarSSL has been acquired by ARM Ltd. They say PolarSSL will be rebranded under the ARM TLS name, and re-released under an Apache license. Guess that's good news for the Dutch company from your neck of the woods.